GitLab answers: What is GDPR?

GDPR overview

The General Data Protection Regulation (GDPR) is a European privacy law that is set to go into effect in May 2018. The GDPR replaces the Data Protection Directive that was put into place in 1995. Although it is a European law, it will impact any entity that does business in or offers services and goods to people in the European Union (EU), regardless of their location. It will also apply to any entity that collects and analyzes the data of EU residents or businesses.

The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Under GDPR, private information is defined as any information that can be used to identify an individual, directly or indirectly. This includes information such as social security numbers, location data, online identifiers, pseudonymous data, and genetic or biometric data, such as fingerprints and facial recognition data.

Right of access: Data controllers will be required to fulfill requests from individuals seeking access to their private data or information on how it is being used. Data collectors and processors will have to detail how the personal information was obtained, how and why it is being used, as well as with whom the company is sharing the information. Companies will also be mandated to provide the individual with a copy of their personal records.

Notice of security breaches: Individuals must be alerted within 72 hours if their personal data has been hacked or otherwise compromised.

“Right to erasure”: Individuals can decide they no longer want their personal data to be processed and request that all of their information be deleted.

Data portability: Individuals will be permitted to move their personal data from one company to another upon request, without opposition from the data controller.

Key GDPR requirements

Companies within and outside of the European Union will be required to make a number of adjustments to the way they access and process the personal data of EU residents in order to be GDPR compliant.

Identifying the information controllers and processors is a key step toward GDPR compliance.

What are controllers?

A controller is a company or organization that determines the purpose for which, and the manner in which, personal data is processed.

Controllers can also be processors.

What are processors?

A processor handles the personal data that a controller has collected, processing it on the controller's behalf.

GitLab’s CI/CD tools fall under the processor category.

Responsibility for GDPR compliance falls heavily on controllers. Data controllers are responsible and liable for GDPR compliance in the processing of personal data, even when they have outsourced processing activities to another company. Nonetheless, processors are also obligated under the law to be GDPR compliant.

These are some of the key requirements for GDPR compliance:

Maintain a legal basis for data collection and processing

Companies must have a legal basis for the processing of personal data.

Be transparent

Companies must inform individuals about the collection of personal data as well as why and how the data is being used. Information must also be provided about how the data is being stored and the length of time for which it will be held.

Individuals must also be advised when their information is transferred internationally.

Employ a data protection officer

Companies that have personal data collection or processing at the core of their business will be required to hire or appoint a data protection officer (DPO).

Specifically, a DPO will be required by GDPR if a company processes a large amount of personal or sensitive data regarding criminal offenses or convictions. Companies that regularly and systematically monitor the personal data of individuals on a large scale are also required to have a DPO in order to be GDPR compliant.

Preserve records

Under GDPR, companies will be required to maintain processing records for personal data. The records can be requested by the supervisory authority at any time.

Implement data protection by default and design

Data protection safeguards must be built into products and services during the earliest stages of development.

Provide notification of a security breach

Individuals must be directly notified of security breaches that affect their personal data within 72 hours.

Supervisory authorities must be advised of security breaches that present a risk to the rights and freedom of individuals within 72 hours. The general public must be immediately alerted of security breaches that are sufficiently serious.

Creating a GDPR action plan

Controllers and processors of personal data must create a GDPR action plan that encompasses all of the new requirements.

GDPR checklist to ensure compliance:

Identify information controllers

Identify information processors

Train data controllers and/or collectors on GDPR requirements

Ensure that partner vendors are GDPR compliant

Designate or employ a Data Protection Officer, if necessary

Conduct data mapping to determine what information your company collects and how it is transferred, processed, and stored

Build products and services using principles of privacy by design and default

Create a system that continuously monitors data handling and illustrates GDPR compliance

Educate customers of their rights under GDPR

Create a notification action plan for security breaches

Security and Compliance with GitLab

As the first single application for software development, security, and operations (DevSecOps), GitLab’s tools offer a streamlined process that can keep your entire team synchronized and your most important data secure. Our tool features Kerberos-powered user authentication and a secret-push blocking feature that allows your company to prevent sensitive files from being accidentally pushed into a live repository.

GitLab’s CI/CD tools also offer a number of features that may help your team members remain in compliance with your company’s legal, licensing and other requirements. Some of those tools include:

Push rules: This allows you to reject code that does not comply with company policy.

Strict code review: You have the option to require multiple approvals from a certain set of team members before a merge request can be accepted.

Multiple options for user roles and permissions: Access and permissions can be managed at many levels, with five different options for user roles and settings for external users. Permissions can be set according to one’s role as opposed to allowing only read or write access to a repository.

Log forwarding: Logs can be forwarded to a central system for better tracking.

Membership locking: Group owners can maintain control of their project by blocking other members from adding other parties to the project.

GitLab offers built-in application security testing scanners that routinely check code for common issues during development and deployment. Our scanners also monitor previously patched vulnerabilities in order to ensure that our security-sensitive services are guarded.

The supervisory authority is the United Kingdom’s Information Commissioner’s Office (ICO). The independent regulatory office is a public body that reports to Parliament. The ICO is tasked with “uphold[ing] information rights in the public interest, promoting openness by public bodies and data privacy for individuals,” according to the authority’s website.

Privacy by design occurs when data protection is embedded into each step of the personal information processing life cycle, including processing product development, software development, and IT systems. Privacy by default means that the strictest privacy settings are automatically in place when an application is released to the public.

Companies should designate an employee to oversee GDPR compliance and determine where that responsibility will fall within the organization (for example, the security department). Some companies will be required to hire or designate a data protection officer to oversee GDPR compliance within their organization.

GDPR calls for some companies to designate a Data Protection Officer (DPO) depending on the nature and amount of personal data the entity processes. The officer, who must be an expert in data protection law, will be tasked with establishing and maintaining a data security plan and GDPR compliance. DPOs are required for public entities as well as companies that manage or store large amounts of personal data, process or hold special personal information or routinely monitor the personal data of private individuals.

No, GitLab is a processor of information. While GitLab will be GDPR compliant by the deadline, simply using GitLab’s services does not make your company compliant. As the controller of the information, you must ensure that your collection of personal data is GDPR compliant, and that the other processors in your pipeline are compliant as well.

Penalties for breaches of GDPR compliance can range from a stern written warning for first-time, unintentional infractions to a fine of €20 million or 4 percent of the company’s total global revenue for the previous year, whichever is greater.